DNS Query Flow
Hi Everyone,
I have a small query related to DNS queries and how GTM works.
I have GTM configured with 2 ISP links and it acts as DNS. Now I need to know the following:
1) A client makes a query for www.company.com; the LDNS of the client does not have the IP for this domain, so it will perform the DNS process.
2) After receiving the reply from the GTM, the client LDNS will save the IP of www.company.com, i.e. it will be cached. Let's say this IP is from ISP1.
3) Another client makes a request via the same LDNS for www.company.com, so the LDNS will return the cached IP of company.com.
4) Now the 3rd user comes and queries for the same domain and the LDNS returns the same cached IP address, but at this moment the ISP1 link goes down, so the website will become unavailable to this 3rd user.
5) What will happen during this situation?
Do I have any misunderstanding in this explanation?
Regards,
19 Replies
- Techgeeeg
Nimbostratus
Hi Gregory,
Thanks for the input. I do agree with your point that the traffic processed by LTM is far more than what is processed by GTM, but in my above question I am only talking about GTM, not LTM... As per my understanding, BIG-IP with only the GTM module is not going to offer any protection against DDoS; it needs to have the AFM module and/or ASM module to be more robust towards providing the security layer against DDoS. So BIG-IP with only the GTM module will get under attack for sure... unless we are playing with iRules, but even for that we have a limit; it can't be dynamic.
Regards,
- Gregory_Thiell
Employee
Techgeeeg, You should treat legitimate traffic and bad traffic separately. You just jumped from one topic (controlling the TTL) to another (being attacked). These are two unrelated things. You understand that changing the TTL will not prevent you from being attacked. For the legitimate traffic, you might have a good reason not to compare LTM and GTM traffic while evaluating the bandwidth. For example, one connection is dedicated to DNS requests and there is no other traffic on the link (never seen that before, but why not). In all other cases, because you know that DNS will always be a tiny percentage of your actual traffic (HTTP), you don't need to worry about it too much. Now if you prefer, you can calculate the maximum number of DNS responses your bandwidth could handle... Take the average DNS packet size (it's usually about 100 Bytes = 800 bits). If your bandwidth is only 10 Mb/s, 10,000,000/800 = 12,500 DNS responses per second. If that's not enough, it means you need a bigger bandwidth. Regarding bad traffic, implementing only the GTM module can already help you protect against DDoS attacks. Implementing DNS Express is a good example (DNS Express is a GTM feature that is also available with LTM). Now if you want more control then yes, you should provision and configure AFM. As for ASM, it doesn't do anything with DNS in its current version.
- Techgeeeg
Nimbostratus
Hi Cory,
I missed out your above reply... I do agree with you that DNS doesn't really have much impact on my situation, but the main reason to use GTM as a DNS over a generic DNS (BIND, MS DNS) is that it monitors the availability of ISP links and based on that it provides the IP address of the active link. That is the reason I am concerned about tweaking the configuration and minimizing the TTL to avoid a situation where the user tries to connect to the IP of the unavailable link, or else I set the GTM to reply back with all the possible IP addresses.
Regards,
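The scenario in the original question (steps 1 to 5) and the two mitigations raised in this reply (a shorter TTL, or answering with every link's address) can be modelled in a few lines. The following is an added example, not code from the thread or from F5: a stand-in authoritative server that only answers with addresses of links that are up, a caching resolver in front of it that honours the TTL, and one client querying once per second. All hostnames and addresses are constructed; the simulation measures how many seconds clients keep being handed the dead ISP1 address after the link fails.

```python
"""Stale-cache window after an ISP link failure (constructed model, not F5 code).

Authoritative  ~ the GTM: answers with the address(es) of links that are up.
CachingResolver ~ the client's LDNS: keeps an answer until its TTL expires.
client_connects ~ a client that tries the returned addresses in order.
"""
from dataclasses import dataclass, field


@dataclass
class Authoritative:
    links: dict              # link name -> (ip, is_up); mutated by the simulation
    ttl: int                 # TTL the server puts on its answers
    return_all: bool = False  # answer with all healthy addresses instead of one

    def answer(self, qname):
        up = [ip for ip, ok in self.links.values() if ok]
        if not up:
            return []
        return up if self.return_all else [up[0]]


@dataclass
class CachingResolver:
    auth: Authoritative
    cache: dict = field(default_factory=dict)  # qname -> (ips, expires_at)
    upstream_queries: int = 0

    def resolve(self, qname, now):
        """Return (ips, served_from_cache). Re-queries upstream only after expiry."""
        entry = self.cache.get(qname)
        if entry is not None and now < entry[1]:
            return entry[0], True
        ips = self.auth.answer(qname)
        self.upstream_queries += 1
        self.cache[qname] = (ips, now + self.auth.ttl)
        return ips, False


def client_connects(ips, links):
    """True if at least one returned address belongs to a link that is up."""
    up_ips = {ip for ip, ok in links.values() if ok}
    return any(ip in up_ips for ip in ips)


def simulate(ttl, return_all, failure_at, horizon):
    """One client querying every second; returns the seconds at which it fails.

    ISP1 is the first healthy link and therefore the one cached at t=0.
    At t=failure_at ISP1 goes down; ISP2 stays up throughout.
    """
    links = {"isp1": ("203.0.113.10", True),    # constructed documentation addresses
             "isp2": ("198.51.100.10", True)}
    auth = Authoritative(links, ttl, return_all)
    ldns = CachingResolver(auth)
    failed_seconds = []
    for t in range(horizon):
        if t == failure_at:
            links["isp1"] = (links["isp1"][0], False)
        ips, _cached = ldns.resolve("www.company.com", t)
        if not client_connects(ips, links):
            failed_seconds.append(t)
    return failed_seconds


if __name__ == "__main__":
    for ttl, return_all in ((300, False), (30, False), (300, True)):
        window = simulate(ttl, return_all, failure_at=100, horizon=600)
        print(f"ttl={ttl:>3} return_all={return_all!s:<5} "
              f"seconds unreachable: {len(window)}")
```

With a 300-second TTL the third user (and everyone else behind that LDNS) is sent to the dead ISP1 address for the remaining 200 seconds of the cached record; a 30-second TTL cuts the worst case to 20 seconds at the cost of more upstream queries; answering with both addresses removes the outage for clients that fall back to the next A record, which browsers generally do but not every client does. The model also omits the time the GTM's own monitor needs to declare the link down, which adds to the window in any real deployment.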
- Techgeeeg
Nimbostratus
Hi Gregory,
Thanks man, appreciate your response... just one point... I know the DNS Express tab appears in LTM, but I believe unless the box is licensed for GTM this feature won't work; correct me if I am wrong. Also I need to further understand your point when you say "implementing only the GTM module can already help you protect against DDoS attacks"; two points come to my mind.
- The no. of queries that the GTM can answer per second is very huge, so in order to bring down this box the setup (attack) that may generate a very huge amount of queries is not easy to set up.
- On GTM we can configure iRules to accept or block certain types of queries, so that is one of the ways to enable protection.
What more features can the GTM offer that I have missed? Can you please highlight them.
Regards,
- Gregory_Thiell
Employee
As I said, DNS Express is a GTM feature that is also available with LTM. To my knowledge, it should work even if GTM is not licensed nor provisioned. However, to make sure you can confirm with sales and with what is displayed under System > License. As for the features of GTM, you can start here: https://www.f5.com/pdf/products/big-ip-global-traffic-manager-overview.pdf If you have more questions, I encourage you to talk to an F5 sales rep. I'm just a consultant. :)